Our rule format guarantees that probabilistic bisimulation is a congruence w.r.t. .... Def. 1 respects the generative (or full) model of probabilistic processes [11],.
Probabilistic Congruence for Semistochastic Generative Processes Ruggero Lanotte and Simone Tini Dipartimento di Scienze della Cultura, Politiche e dell’Informazione, Universit` a dell’Insubria, Via Valleggio 11, I-22100, Como, Italy Abstract. We propose an SOS transition rule format for the generative model of probabilistic processes. Transition rules are partitioned in several strata, giving rise to an ordering relation analogous to those introduced by Ulidowski and Phillips for classic process algebras. Our rule format guarantees that probabilistic bisimulation is a congruence w.r.t. process algebra operations. Moreover, our rule format guarantees that process algebra operations preserve semistochasticity of processes, i.e. the property that the sum of the probability of the moves of any process is either 0 or 1. Finally, we show that most of operations of the probabilistic process algebras studied in the literature are captured by our format, which, therefore, has practical applications.
1
Introduction
Probabilistic process algebras have been introduced in the literature (see, among the others, [2, 3, 8, 9, 10, 11, 13]) to develop techniques dealing with both functional and non-functional aspects of system behavior, such as performance and reliability. Probabilistic transition systems (PTSs, for short), which extend classic labeled transition systems by some mechanism to represent the probabilistic choice, have been employed as a basic semantic model of probabilistic processes. In order to abstract away from irrelevant information on the way that processes compute, several notions of behavioral equivalence and preorder have been considered. Probabilistic bisimulation relates two processes iff they have the same probabilistic branching structure. In the process algebras of [2, 3, 8, 9, 10, 11, 13]), probabilistic bisimulation is a congruence w.r.t. all operations, which is an important property to fit it into an axiomatic framework. Usually, PTSs are defined by means of a structural operational semantics [14, premises 15] (SOS, for short) consisting of a set of transition rules of the form conclusion , which, intuitively, determine how probabilistic moves of processes can be inferred by probabilistic moves of other processes. A set of syntactical constraints on the transition rules is called a transition rule format [16]. In the area of classic (i.e., non-probabilistic) process algebras, rule formats have been widely employed to fix results holding for classes of process algebras. For instance, several rule formats proposed in the literature ensure that a given behavioral equivalence is a congruence (for a survey see [1]). Other rules formats ensure that a given property of security is preserved by process algebra operations [17, 18]. V. Sassone (Ed.): FOSSACS 2005, LNCS 3441, pp. 63–78, 2005. c Springer-Verlag Berlin Heidelberg 2005
64
R. Lanotte and S. Tini
An interesting issue is to develop rule formats for probabilistic process algebras. To take a step in this direction, we propose a rule format for process algebras respecting the generative model of probabilistic processes [11], which requires that a single probability distribution is ascribed to all moves of any process. Such a generative model differs w.r.t. the reactive model of probabilistic processes, which requires that the kind of action of any process is chosen nondeterministically, and that, for any action and any process, a probability distribution is ascribed to the moves of that process labeled with that action. Our format admits transition rules of the following form: Aj ,pj
ai ,pi
B
h {xi −−−→ yi | i ∈ I} ∪ {xj −−−→ | j ∈ J} ∪ {xh −−→ | h ∈ H}
a,
i∈I pi
·wρ
j∈J (1−pj ) − f (→ x ) −−−−−−−−−−−→ t
Hence, our format extends the classic de Simone format [16] with probability Aj ,pj
(i.e., a probability value p appears in transition labels), premises xj −−−→ meaning that the argument j of f performs actions in the set Aj with total probability B
h pj , and premises xh −−→ meaning that the argument h of f performs at least one action in the set Bh . Then, to give a semantics to a given process algebra, we require that the transition rules are partitioned in n strata R1 , . . . , Rn , for some n ∈ IN. The interpretation is that the moves of a given process t can be inferred from rules in Ri only if no move of t can be inferred from rules in Rj , for any j < i. Hence, the partitioning gives rise to an ordering relation between transition rules analogous to those introduced for classic process algebras in [19]. We prove that process algebra operations captured by our format preserve semistochasticity of processes, i.e. the property that the sum of the probability of the moves of any process is either 0 or 1. This is a central issue in the theory of probabilistic processes, since semistochasticity is required by most of authors, such as [3, 5, 8], which concentrate on so called semistochastic languages [11]. Then, we prove that probabilistic bisimulation is a congruence w.r.t. all operations captured by our format. To show that our format has practical applications, we prove that it captures most of operations of the probabilistic process algebras proposed in the literature. Finally, we prove that our format can be enriched by double testing as in GSOS format [7], and by look ahead as in tyft/tyxt format [12]. We discuss also the possibility to admit predicates, as in formats path [4] and panth [20]. We discuss the related work [6], where a very preliminary rule format for the reactive model of probabilistic processes is introduced.
2
Background
Let us begin with recalling the model of probabilistic transition systems. For any set S, let M(S) denote the collection of multisets over S. Definition 1. A probabilistic transition system (PTS, for short) is a triple (S, Act, T ), where S is a set of states, Act is a set of actions, and T ∈ M(S ×
Probabilistic Congruence for Semistochastic Generative Processes
65
Act × (0, 1] × S) is a multiset of transitions such that, for all states s ∈ S, {| p | ∃a ∈ Act, s ∈ S : (s, a, p, s ) ∈ T |} ∈ [0, 1]. Def. 1 respects the generative (or full ) model of probabilistic processes [11], where a single probability distribution is ascribed to all moves of any process. On the contrary, we recall that the reactive model admits that the kind of action is chosen nondeterministically, i.e. the multiset T satisfies the following property: for all states s ∈ S and actions a ∈ Act, {| p | ∃s ∈ S : (s, a, p, s ) ∈ T |} ∈ [0, 1]. Definition 2. A state s ∈ S is semistochastic iff {| p | ∃a ∈ Act, s ∈ S : (s, a, p, s ) ∈ T |} ∈ {0, 1}. If this sum is 1 then s is stochastic. A PTS is semistochastic iff all its states are semistochastic. As in [3, 5, 8], we concentrate on semistochastic PTSs, which are the semantic model of the so called semistochastic languages [11]. a,p We write s −−→ s to denote that (s, a, p, s ) ∈ T , and we call s and s source and target of the transition, respectively. For a set of actions A ⊆ Act, we write A,p a,q s −−→ to denote that {| q | ∃a ∈ A, s ∈ S : s −−→ s |} = p. If this multiset is A,0
A
empty, then we write s −−→. Finally, we write s − → to denote that there is at least one transition (s, a, p, s ) in T with a ∈ A, for some p and s . Before defining probabilistic bisimulation, we need some definitions. For an equivalence relation R over S, we write S/R to denote the set of equivalence classes induced by R. Definition 3. µ : S × Act × 2S → [0, 1] is the function given by: ∀s ∈ S, ∀a ∈ Act, ∀S ⊆ S a,p µ(s, a, S) = {| p | s −−→ s and s ∈ S |} Definition 4. An equivalence relation R ⊆ S ×S is a probabilistic bisimulation if (s1 , s2 ) ∈ R implies: ∀S ∈ S/R, ∀a ∈ Act, µ(s1 , a, S) = µ(s2 , a, S) The union of all probabilistic bisimulation is, in turn, a probabilistic bisimulation. We denote it by ≈, and we write s1 ≈ s2 for (s1 , s2 ) ∈≈. Let us recall now the notions of signature and term over a signature. A signature is a set Σ of operation symbols together with an arity mapping that assigns a natural ar(f ) to every f ∈ Σ. If ar(f ) is 0, f is called a constant. For a set of variables Var, ranged over by x, y, . . . , the set of (open) terms T(Σ, Var) over Σ and Var, ranged over by s, t, . . . , is the least set such that: 1) each variable x ∈ Var is a term; 2) f (t1 , . . . , tar(f ) ) is a term whenever f ∈ Σ and t1 , . . . , tar(f ) are terms. Closed terms are terms that do not contain variables. A substitution is a mapping σ : Var → T(Σ, Var). With σ(t) we denote the term obtained by replacing all occurrences of variables x in term t by σ(x). The abstract syntax of probabilistic process description languages is usually given by a signature Σ, whose closed terms are called probabilistic processes. The semantics is usually given by a PTS, where states are probabilistic processes.
66
R. Lanotte and S. Tini
3
Definitions
In this section we introduce the notions of PB transition rule and PB transition system specification (PB stays for probabilistic bisimulation). → Definition 5. For any operation f ∈ Σ and tuple − x = x1 , . . . , xar(f ) of variables, a PB transition rule ρ is of the form Aj ,pj
ai ,pi
B
h {xi −−−→ yi | i ∈ I} ∪ {xj −−−→ | j ∈ J} ∪ {xh −−→ | h ∈ H}
a,
i∈I pi
·wρ
j∈J (1−pj ) − f (→ x ) −−−−−−−−−−−→ t
where: I, J, H are subsets of {1, . . . , ar(f )} such that J ⊆ I; ai ∈ Act for i ∈ I, Aj ⊆ Act for j ∈ J, Bh ⊆ Act for h ∈ H, a ∈ Act; for all i ∈ I and j ∈ J such that i = j, it holds that ai ∈ Aj ; pi is a variable with range (0, 1] for i ∈ I, pj is a variable with range [0, 1) for j ∈ J; → 5. t is a term over Σ and − x ∪ {yi | i ∈ I}; 6. wρ is the weight of ρ and satisfies 0 < wρ ≤ 1. 1. 2. 3. 4.
ai ,pi
Transitions {xi −−−→ yi |i ∈ I} are the active premises; variables {xi |i ∈ Aj ,pj
I} are the active variables; transitions {xj −−−→ |j ∈ J} are the unneeded B
h premises; transitions {xh −−→ |h ∈ H} are the unquantified premises; transition
a,
i∈I pi
·wρ
j∈J (1−pj ) − → f (→ x ) −−−−−−−−−−−→ t is the conclusion; f (− x ) is the source; t is the target of ρ. → − Given terms t , values {qi | i ∈ I} in (0, 1], and values {qj | j ∈ J} in [0, 1), → → − → − → a,q − − → −→ t[ t /− x ][→ s /− y ], with q = Def. 5 says that term f ( t ) has the move f ( t ) − a ,q q i i i∈I i · wρ , provided that ti has the move ti − −−→ si , for all i ∈ I, the sum (1−q ) j∈J
j
of the probability of the moves of tj with label in Aj is qj , for all j ∈ J, and th has at least one move with label in Bh , for all h ∈ H. Notice that the conclusion is triggered by both active and unquantified premises, and does not require unneeded premises, meaning that pj could be 0 for some j ∈ J. Unneeded premises are used to compute the probability of the conclusion. More precisely, they permit normalization of probability, which, as we will see in next sections, is needed in several operations of process algebras, such as restriction andpriority. The probability of the conclusion depends on the pi weight of ρ and on i∈I , which is the conditional probability that all xi j∈J (1−pj ) perform ai under the assumption that all xj are not allowed to perform actions in Aj . Unquantified premises do not contribute in computing the probability of the conclusion. They are “necessary conditions” for the application of ρ. Definition 6. A PB transition system specification (PB TSS, for short) is formed by a set R of PB transition rules such that:
Probabilistic Congruence for Semistochastic Generative Processes
67
1. R is partitioned into n strata R1 , . . . , Rn , for some n ∈ IN; → 2. for each stratum Ru , operation f and tuple of variables − x = x1 , . . . , xar(f ) → s.t. Ru has at least one PB transition rule with source f (− x ), it holds that: → − (a) All PB transition rules with source f ( x ) in stratum Ru have the same B
h set of unquantified premises {xh −−→ | h ∈ H}; → (b) All PB transition rules with source f (− x ) in stratum Ru have the same
Aj ,pj
set of unneeded premises {xj −−−→ | j ∈ J}; → (c) All PB transition rules with source f (− x ) in stratum Ru have the same set of active variables {xi | i ∈ I}; (d) Given actions {ai | i ∈ I} such that ai ∈ Aj for all indexes i and j Aj ,pj
with i = j and xj −−−→ an unneeded premise, then there is at least → one PB transition rule with source f (− x ) in Ru with active premises a ,pi
{xi −−i−→ yi | i ∈ I}; → (e) Given the PB transition rules ρ1 , . . . , ρm in Ru with source f (− x ) having the same active premises, their weights satisfy wρ1 + · · · + wρm = 1. The meaning of clause 1 is that the rules in stratum Ru can be applied only if no rule in strata R1 , . . . , Ru−1 can be applied (see Def. 7 below). Let us take any f ∈ Σ. Clause 2a implies that unquantified premises trigger → either all rules with source f (− x ) in Ru , or none of them. In the first case, we can → − prove that clauses 2b–2e ensure that, given semistochastic processes t , then the → − sum of the probability of the moves of f ( t ) that are derivable by the rules in Ru is either 0 or 1. Let us distinguish two cases. In the first case, some ti with i ∈ I is not stochastic. Since it is semistochastic, ti has no move. Hence, since → − clause 2c implies that a move of ti is needed to infer a move of f ( t ), no move → − of f ( t ) can be derived from the rules in stratum Ru , and, therefore, the sum → − of the probability of the moves of f ( t ) derivable from Ru is 0. In the second case, all ti with i ∈ I are stochastic. Let us assume that, for all j ∈ J, qj is Aj ,qj the probability such that tj −−−→. Value j∈J (1 − qj ) is the probability that each tj does not perform any action in Aj . All combinations of arbitrary moves ai ,qi {ti −−−→ ti | i ∈ I}, with ai ∈ Act for each i ∈ I, fall into two categories: – Some ai is in Aj for the index j = i. Clause 3 of Def. 5 ensures that no move → − ai ,qi of f ( t ) is inferred by rules in Ru from moves {ti −−−→ ti | i ∈ I}. – No ai is such that ai ∈ Aj for any index j = i. Since ti is semistochastic, this implies qj = 1 for all j ∈ J. By clause 2d of Def. 6 there exist → x ) in Ru , for some m ∈ IN, with active rules ρ1 , . . . , ρm with source f (− → − ai ,pi −−→ yi | i ∈ I}. premises {xi − Hence, f ( t ) has m moves with probabilities qi q i∈I i . Notice that these probabilities are well wρ1 · i∈I (1−q ) , . . . , wρm · (1−q ) j∈J
j
j∈J
j
+ · · · + wρm = 1 by clause defined, since qj = 1 for all j ∈ J. Now, since wρ 1 2e of Def. 6, the sum of these probabilities is
i∈I qi j∈J (1−qj )
.
68
R. Lanotte and S. Tini
→ − Since we have assumed that all t are stochastic, and that for all j ∈ J, qj is the Aj ,qj
probability of tj −−−→, the overall probabilities of the combinations of moves ai ,qi {ti −−−→ ti | i ∈ I} falling in the second category is j∈J (1−qj ). Hence, if qj = 1 → − for some j ∈ J, f ( t ) has no move and the sum of the probability of the moves → − of f ( t ) derivable from Ru is 0. Otherwise, if qj = 1 for all j ∈ J, the sum of (1−q ) → − the probability of the moves of f ( t ) derivable from Ru is j∈J (1−qj ) = 1. j∈J j We can now formalize how PTSs are generated by PB TSSs. Definition 7. Assume a PB TSS with strata R1 , . . . , Rn . a,q
1. A transition t −−→ s is provable from stratum Ru iff there is a closed substiai ,qi
Aj ,qj
B
h {t −−−→ si | i ∈ I} ∪ {tj −−−→ | j ∈ J} ∪ {th −−→ | h ∈ H} tution instance i a,q t −−→ s of a PB transition rule in Ru such that: ai ,qi (a) for all i ∈ I, ti −−−→ si is a transition provable from the TSS; a,q (b) for all j ∈ J, qj = {|q|∃a ∈ Aj , s : tj −−→ s is provable from the TSS|};
a,qh
(c) for all h ∈ H, at least one transition th −−−→ uh with a ∈ Bh is provable from the TSS, for some qh and uh ; a,q 2. A transition t −−→ s is provable from the TSS if it is provable from some stratum Ru and no transition with source t is provable from strata R1 , . . . , Ru−1 . Moves of terms are proved inductively w.r.t. their structure. In fact, first of all we can prove moves of constants from strata R1 , . . . , Rn and, then, we can prove moves of constants from the TSS. This is possible since PB transition rules → − having a constant as source have no premise. Then, after moves of terms t have → − been proved from the TSS, we can prove moves of f ( t ) from R1 , . . . , Rn and, → − then, we can prove moves of f ( t ) from the TSS. Let us recall that, according to the classical definition (see, e.g., [12]), a (nona → t is provable from a given TSS iff there exists a wellprobabilistic) transition t − founded, upwardly branching tree whose nodes are labeled by closed transitions, a whose leaves have empty label, whose root is labeled by t − → t , and, whenever K is the (possibly empty) set of labels of the nodes directly above a node labeled by β, then K/β is a closed substitution instance of a transition rule in the TSS. We need a more complicated definition since our rules have the unneeded premises and the unquantified premises that are not “pure” transitions. Hence, we cannot construct the branching tree that is considered in the classical definition. Moreover, as in [19], we have to take into account that there is an ordering relation between the transition rules, given by the partitioning in n strata. Definition 8. The PTS induced by a PB TSS is the PTS having as transitions the transitions that are provable from the TSS.
Probabilistic Congruence for Semistochastic Generative Processes
4
69
Examples
In this section we show that most of operations offered by the probabilistic process algebras proposed in the literature can be expressed by our PB TSSs. Example 1 (Constants). Stratum R1 contains the following rule, for all a ∈ Act: a,1
a −−→ 0 Term a performs action a, and, then, it behaves as the idle process 0. Let us show now that we can express the probabilistic sum of [2, 3, 8, 9, 11]. Example 2 (Probabilistic sum). Let 0 < p < 1. Stratum R1 contains the following rules, for all a1 , a2 ∈ Act, where p and 1 − p are their weights: a1 ,p1
a2 ,p2
a1 ,p1
a2 ,p2
x1 −−−→ y1 x2 −−−→ y2
x1 −−−→ y1 x2 −−−→ y2
x1 +p x2 −−−−−−→ y1
x1 +p x2 −−−−−−−−−→ y2
a1 ,p1 ·p2 ·p
a2 ,p1 ·p2 ·(1−p)
Stratum R2 contains the following rule, for all a1 ∈ Act: a1 ,p1
x1 −−−→ y1 a1 ,p1
x1 +p x2 −−−→ y1 Stratum R3 contains the following rule, for all a2 ∈ Act: a2 ,p2
x2 −−−→ y2 a2 ,p2
x1 +p x2 −−−→ y2 Let us take term t1 +p t2 . Index p means that, when both t1 and t2 can move, t1 moves with probability p, and t2 moves with probability 1 − p. Rules in R1 (with weights p and 1 − p) are applied when both t1 and t2 are stochastic; rules in R2 (with weight 1) are applied when only t1 is stochastic; rules in R3 (with weight 1) are applied when only t2 is stochastic. In the first case, since t2 (resp. t1 ) a1 ,p1 is stochastic and the sum of the probability of its moves is 1, from t1 −−−→ t1 a2 ,p2 (resp. t2 −−−→ t2 ) we infer moves of t1 +p t2 labeled a1 (resp. a2 ) with total a1 ,p1 probability p1 · p (resp. p2 · (1 − p)). In the other two cases, from t1 −−−→ t1 a2 ,p2 a a ,p ,p 1 1 2 2 (resp. t2 −−−→ t2 ), we infer t1 +p t2 −−−→ t1 (resp. t1 +p t2 −−−→ t2 ). Let us consider now the interleaving operation of [3]. Example 3 (Interleaving). Let 0 < p < 1. Stratum R1 contains the following rules, for all a1 , a2 ∈ Act, where p and 1 − p are their weights: a1 ,p1
a2 ,p2
a1 ,p1
a2 ,p2
x1 −−−→ y1 x2 −−−→ y2
x1 −−−→ y1 x2 −−−→ y2
x1 p x2 −−−−−−→ y1 p x2
x1 p x2 −−−−−−−−−→ x1 p y2
a1 ,p1 ·p2 ·p
a2 ,p1 ·p2 ·(1−p)
70
R. Lanotte and S. Tini
Stratum R2 contains the following rules, for all a1 ∈ Act: a1 ,p1
x1 −−−→ y1 a1 ,p1
x1 p x2 −−−→ y1 p x2 Stratum R3 contains the following rules, for all a2 ∈ Act: a2 ,p2
x2 −−−→ y2 a2 ,p2
x1 p x2 −−−→ x1 p y2 As in Ex. 2, given a term t1 p t2 , index p means that, when both t1 and t2 can move, t1 moves with probability p, and t2 moves with probability 1 − p. Let us consider now the synchronous product of PCCS [10, 11]. Example 4 (Synchronous product). Stratum R1 contains the following rules, for all a1 , a2 ∈ Act: a1 ,p1 a2 ,p2 x1 −−−→ y1 x2 −−−→ y2 a1 ×a2 ,p1 ·p2
x1 x2 −−−−−−−−→ y1 y2 Here, at each computation step, term t1 t2 can move only by combining an action of t1 and an action of t2 . Actions are composed by means of operator ×. Let us consider now the probabilistic version of CCS parallel composition [3]. Example 5 (Interleaving plus synchronization). Let 0 < p, q < 1. Stratum R1 contains the following rules, for all a1 , a2 ∈ Act such that a2 = a1 : a1 ,p1
a2 ,p2
a1 ,p1
a2 ,p2
x1 −−−→ y1 x2 −−−→ y2
x1 −−−→ y1 x2 −−−→ y2
x1 pq x2 −−−−−−→ y1 pq x2
x1 pq x2 −−−−−−−−−→ x1 pq y2
a1 ,p1 ·p2 ·p
a1 ,p1
a2 ,p1 ·p2 ·(1−p)
a1 ,p1
a1 ,p2
x1 −−−→ y1 x2 −−−→ y2
a1 ,p2
x1 −−−→ y1 x2 −−−→ y2
a1 ,p1 ·p2 ·p·(1−q)
x1 pq x2 −−−−−−−−−−→ y1 pq x2
a1 ,p1 ·p2 ·(1−p)·(1−q)
x1 pq x2 −−−−−−−−−−−−−→ x1 pq y2
a1 ,p1
a1 ,p2
x1 −−−→ y1 x2 −−−→ y2 τ,p1 ·p2 ·q
x1 pq x2 −−−−−→ y1 pq y2 Stratum R2 contains the following rules, for all a1 ∈ Act: a1 ,p1
x1 −−−→ y1 a1 ,p1
x1 pq x2 −−−→ y1 pq x2 Stratum R3 contains the following rules, for all a2 ∈ Act: a2 ,p2
x2 −−−→ y2 a2 ,p2
x1 pq x2 −−−→ x1 pq y2
Probabilistic Congruence for Semistochastic Generative Processes
71
Let us take t1 pq t2 . When t1 and t2 intend to perform actions a1 and a2 with a2 = a1 , t1 moves with probability p and t2 moves with probability 1 − p, as in the case of interleaving operator of Ex. 3. When t1 and t2 intend to perform actions a1 and a1 , either they synchronize with probability q, thus producing action τ , or they do not synchronize with probability 1 − q. In this second case, t1 moves with probability p·(1−q), and t2 moves with probability (1−p)·(1−q). Let us consider now the operation of sequential composition of terms of [3]. Example 6 (Sequencing). Stratum R1 contains the following rules, for a1 ∈ Act: a1 ,p1
x1 −−−→ y1 a1 ,p1
x1 · x2 −−−→ y1 · x2 Stratum R2 contains the following transition rules, for all a2 ∈ Act: a2 ,p2
x2 −−−→ y2 a2 ,p2
x1 · x2 −−−→ y2 Let us take t1 · t2 . If t1 moves, then rules in R1 can be applied and t1 · t2 moves as t1 , else, if t2 moves, rules in R2 can be applied and t1 · t2 moves as t2 . Let us consider now the restriction operation of [2, 8, 9, 11]. This is the first example in which we employ unneeded premises. Example 7 (Restriction). Let A ⊆ Act. Stratum R1 contains the following rules, for all a1 ∈ Act \ A: a1 ,p1
A,p
x1 −−−→ y1 x1 −−→ p
1 a1 , 1−p
x1 \A −−−−→ y1 \A Term t1\A behaves as t1 , but it cannot perform actions in A. Let us assume that A,q
the sum of the probability of the moves of t1 with label in A is q, i.e. t1 −−→. If q = 1, then no move of t1 \A can be inferred by the rules in R1 . Hence, t1 \A a1 ,q1 has no move and it is semistochastic. If t1 has a move t1 −−−→ t1 , with a1 ∈ A, q1 , which is the conditional then t1\ A has the same move, but with probability 1−q a1 ,q1
probability that t1 has the move t1 −−−→ t1 under the assumption that t1 is not allowed to perform actions in A. Hence, the sum of the probability of the moves of t1 \A is 1−q 1−q = 1, and t1 \A is stochastic. Let us consider now the operator of priority. This is the first example in which we employ unquantified premises. Example 8 (Priority of a over b). Let a, b ∈ Act. Stratum R1 contains the following rules, for all a1 ∈ Act \ {b}: a1 ,p1
{b},p
x1 −−−→ y1 x1 −−−→ p
1 a1 , 1−p
{a}
x1 −−→
ϑab (x1 ) −−−−→ ϑab (y1 )
72
R. Lanotte and S. Tini
Stratum R2 contains the following rules, for all a1 ∈ Act: a1 ,p1
x1 −−−→ y1 a1 ,p1
ϑab (x1 ) −−−→ ϑab (y1 ) Term ϑab (t1 ) behaves as t1 , but it can perform action b only if it cannot perform a. Rules in R1 are applied only if t1 can perform a. In this case, if the sum of the {b},q
probability of the moves of t1 labeled b is q (i.e. t1 −−−→), then, from any move a1 ,q1 t1 −−−→ t1 with a1 = b, we infer a move of ϑab (t1 ) with label a1 and probability a1 ,q1 q1 1−q , which is the conditional probability that t1 has the move t1 −−−→ t1 under the assumption that t1 is not allowed to perform b. So, the sum of the probability a of the moves of ϑab (t1 ) is 1−q 1−q = 1, and ϑb (t1 ) is stochastic. Rules in R2 can be applied only if t1 cannot perform a. In this case, ϑab (t1 ) behaves as t1 .
5
Results
Theorem 1. The PTS induced by any PB TSS is semistochastic. Proof. We have to prove that, given an arbitrary term t, the sum of the probability of the moves of t is either 0 or 1. This property follows by two facts: 1) The moves of t can be derived only by the rules that are in one stratum Ru ; 2) the sum of the probability of the moves of t derivable by the rules in any stratum Ru is either 0 or 1, as we have proved in the previous section. Theorem 2. The probabilistic bisimulation induced by any PB TSS is a congruence. Proof. Let R be the least equivalence relation over PTS states such that: 1. s R t whenever s ≈ t; → − − 2. f (→ s ) R f ( t ) whenever s1 R t1 , . . . , sar(f ) R tar(f ) . → Lemma 1. Given a term u over variables − x = x1 , . . . , xn and tuples of terms → − → − s = s1 , . . . , sn and t = t1 , . . . , tn , if si R ti holds for all 1 ≤ i ≤ n, then → → − → → u[ t /− x ] R u[− s /− x ]. To prove the thesis, it suffices to prove that, for arbitrary terms s and t, s R t implies s ≈ t. In fact, by the two clauses of the definition of R, this property implies that R and ≈ coincide and that ≈ is a congruence. Let us reason by induction over the definition of R. The base case where s R t is due to s ≈ t is immediate. Let us concentrate on the inductive step, → − → where s ≡ f (− s ), t ≡ f ( t ), and s R t is due to s1 R t1 , . . . , sar(f ) R tar(f ) . We can assume, by the inductive hypothesis, that s1 ≈ t1 , . . . , sar(f ) ≈ tar(f ) .
Probabilistic Congruence for Semistochastic Generative Processes
73
We have to prove that, for any value 0 < q ≤ 1, action a ∈ Act and equiv→ − → alence class S ∈ S/R, µ(f (− s ), a, S) = q iff µ(f ( t ), a, S) = q. We prove that → − → − µ(f ( s ), a, S) = q implies µ(f ( t ), a, S) = q; the converse is analogous. → Since µ(f (− s ), a, S) = q, it holds that in some stratum Ru of the TSS, and for some k ∈ IN, there exist PB transition rules ρ1 , . . . , ρk such that: a,ql,1 → s ) −−−→ ul,1 , . . . , 1. for all 1 ≤ l ≤ k, from rule ρl we infer ml transitions f (− a,ql,ml → f (− s ) −− −−→ ul,ml , for some ml ∈ IN; 2. 1≤l≤k 1≤i≤ml ql,i = q; 3. for all 1 ≤ l ≤ k, ul,1 , . . . , ul,ml ∈ S,
→ and, moreover, no move of f (− s ) is derived from rules in R1 , . . . , Ru−1 . Let us consider any 1 ≤ l ≤ k. Transition rule ρl has the form Aj ,pj
ai ,pi
B
h {xi −−−→ yi | i ∈ I} ∪ {xj −−−→ | j ∈ J} ∪ {xh −−→ | h ∈ H}
a,
i∈I pi
·wρ
l j∈J (1−pj ) − x ) −−−−−−−−−−−→ t f (→
a,ql,ml a,ql,1 → → Since f (− s ) −−−→ ul,1 , . . . , f (− ul,ml are derived from ρl , it holds that: s ) −−−−→
1. for all i ∈ I, there are states Si s.t. µ(si , ai , Si ) = qi , for some 0 < qi ≤ 1; Aj ,qj
2. for all j ∈ J, sj −−−→, for some 0 ≤ qj < 1; B
h 3. for all h ∈ H, sh −−→; 4. ql,1 + · · · + ql,ml = wρl ·
i∈I qi j∈J (1−qj )
.
By the inductive hypothesis, it follows that: 1. for all i ∈ I, there is a set of states Si such that µ(ti , ai , Si ) = qi and, for all s ∈ Si ,there is some state s ∈ Si such that s R s ; Aj ,qj
2. for all j ∈ J, tj −−−→; B
h 3. for all h ∈ H, th −−→.
→ a,ql,1 − → a,ql,nl − Hence, by applying ρl , we infer nl moves f ( t ) −−−→ v1 , . . . f ( t ) −−−−→ vnl , for some nl ∈ IN, where:
1. v1 , . . . , vnl ∈ S, by Lemma 1 and the fact that for all s ∈ Si there is some state s ∈ Si such that s R s ; 2. ql,1 + · · · + ql,n = ql,1 + · · · + ql,ml . l Since these arguments hold for all 1 ≤ l ≤ k, it follows that by ρ1 , . . . , ρk we → − derive µ(f ( t ), a, S) = q, which implies the thesis. It remains to prove that we → − can apply ρ1 , . . . , ρk , i.e. no move of f ( t ) can be derived by any rule in any → stratum Rv with v < u. This follows by the fact that no move of f (− s ) can be derived by any rule in these strata, and that si ≈ ti for 1 ≤ i ≤ ar(f ).
74
6
R. Lanotte and S. Tini
Extensions
The PB transition rules of Def. 5 extend the rules matching the de Simone format [16] with probability, unneeded premises and unquantified premises. Here we show how we can add to our rules some features offered by other formats proposed in the literature of non probabilistic process algebras. ai The GSOS format [7] admits negative premises of the form xi −→ in rules → with source f (− x ), meaning that the ith argument of f does not perform any action labeled ai . In [19] a result is proved which assesses that negative premises can be simulated by suitable ordering relations between rules. Since the partitioning in strata of Def. 6 introduces ordering relations between PB transition rules that are less general than those used in [19], it would be interesting to extend Def. 6 to capture all the ordering relations of [19]. → The GSOS format admits also double testing. Namely, rules with source f (− x) ai1 ai2 can have two (or more) premises xi −−→ yi1 and xi −−→ yi2 with the same variable xi in the left side. Let us show how we can add double testing to our rules. Definition 9. A PB transition rule with double testing ρ is of the form Aj ,pj
ai ,pi
B
h l {xi −−l−−→ yil | i ∈ I, l ∈ Ii } ∪ {xj −−−→ | j ∈ J} ∪ {xh −−→ | h ∈ H}
a,
i∈I l∈Ii pil j∈J (1−pj )
·wρ
→ →t f (− x ) −−−−−−−−−−−−− where: 1. clauses 1-6 of Def. 5 are respected; 2. for all i ∈ I, it holds that ail = ail for all l, l ∈ Ii such that l = l ; 3. for all i ∈ I and l ∈ Ii , if |Ii | > 1 then there is an h = i such that ail ∈ Bh . Definition 10. A PB TSS with double testing is defined as in Def. 6, except that clause 2d is replaced by the following clause: – Given actions {ai | i ∈ I} such that ai ∈ Aj for all indexes i and j with i = j Aj ,pj
and xj −−−→ an unneeded premise, then there at least one PB transition rule a ,pi → with source f (− x ) in R containing the active premises {x −−i−→ y | i ∈ I}. u
i
i
To explain clause 2 in Def. 9, let us take the following rule, which violates it: a,p1
x1 −−→ y1
a,p2
x1 −−→ y2 b,p1 +p2
f (x1 ) −−−−−→ 0 a,1
b,2
Let t be the PCCS term a·0, which has the move t −−→ 0. It holds that f (t) −−→ 0, and, therefore, f (t) is not semistochastic. The problem is that the probability of the same move of t is summed twice when computing the probability of the
Probabilistic Congruence for Semistochastic Generative Processes
75
move of f (t). Clause 2 in Def. 9 prevents this problem, since different moves of the same argument of f can appear as premises only if they have different labels. To explain clause 3 in Def. 9, let us take the following rules, and note that the first one violates it: a,p1
b,p2
x1 −−→ y1 x1 −−→ y2 d,p1 +p2
f (x1 ) −−−−−→ 0
c,p1
x1 −−→ y1 e,p1
f (x1 ) −−→ 0 a, 1
1
c, 1
2 2 Let t be the PCCS term a · 0 + 2 c · 0, which has the moves t −−→ 0 and t −−→
e, 1
2 0. It holds that f (t) −−→ 0 is the only move of f (t), which, therefore, is not semistochastic. The problem is that the probability of the move of t labeled a does not contribute in computing the probability of any move of f (t), since t has a,p1 no move labeled b and the premise x1 −−→ y1 appears only in the rule where b,p2 there is also the premise x1 −−→ y2 . Clause 3 in Def. 9 prevents this problem, a,p1 b,p2 since premises x1 −−→ y1 and x1 −−→ y2 are admitted only in rules that are in B → with a, b ∈ B. strata where all rules have an unquantified premise x1 − Finally, notice that the new clause of Def. 10 requires that at least one rule
a ,pi
in Ru contains the premises {xi −−i−→ yi | i ∈ I}, whereas the corresponding clause in Def. 6 requires that at least one rule in Ru has exactly the premises a ,pi
{xi −−i−→ yi | i ∈ I}. The new clause allows double testing. Theorem 3. The PTS induced by any PB TSS with double testing is semistochastic. The probabilistic bisimulation induced by any PB TSS with double testing is a congruence. The tyxt/tyft format [12] admits look ahead. Namely, transition rules with
i i → source f (− x ) can have premises xi −→ yi and yi −→ zi , with the same variable yi appearing in the right side of the first premise and in the left side of the second premise. Let us show how we can add look ahead to our PB TSSs.
a
b
Definition 11. A PB transition rule with look ahead ρ is of the form ai ,pi
Aj ,pj
bi ,ri
h {xi −−−→ yi |i ∈ I} ∪ {yi −−−→ zi |i ∈ I } ∪ {xj −−−→ |j ∈ J} ∪ {xh −−→ |h ∈ H}
a,
p · p ·r i∈I\I i i∈I i i j∈J (1−pj )
B
·wρ
→ f (− x ) −−−−−−−−−−−−−−−−−→ t where: 1. clauses 1-6 of Def. 5 are respected; 2. I ⊆ I. Also variables yi with i ∈ I are called active variables. Definition 12. A PB TSS with look ahead is defined as in Def. 6, except that clauses 2c and 2d are replaced by the following clauses:
76
R. Lanotte and S. Tini
→ 1. All PB transition rules with source f (− x ) in stratum Ru have the same set of active variables {xi | i ∈ I} ∪ {yi | i ∈ I }; 2. Given actions {ai | i ∈ I} such that ai ∈ Aj for all indexes i and j with i = j Aj ,pj
and xj −−−→ an unneeded premise, and actions bi for all indexes i ∈ I , → then there is at least one PB transition rule with source f (− x ) in Ru with a ,pi
b ,ri
i active premises {xi −−i−→ yi | i ∈ I} ∪ {yi −− −→ zi | i ∈ I }.
The new clauses in Deff. 11–12 extend clauses in Deff. 5–6 to take into account that two consecutive moves of xi are considered for all i ∈ I . Theorem 4. The PTS induced by any PB TSS with look ahead is semistochastic. The probabilistic bisimulation induced by any PB TSS with look ahead is a congruence. Definitions of PB transition rule and PB TSS admitting both double testing and look ahead could be given immediately. By combining results of Thm. 3 and Thm. 4 we infer that the PB TSSs so obtained would induce semistochastic PTSs and probabilistic bisimulations being congruences. Both path format [4] and panth format [20] admit predicates, i.e. transitions of the form t P , meaning that term t satisfies some property expressed by P . Since predicates have nothing to do with probability, they can be added to PB transitions rules and PB TSSs, without affecting results in Thm. 1 and Thm. 2.
7
Related and Future Work
In this paper we have proposed a rule format for probabilistic process algebras. We believe that our format has four main merits: 1) probabilistic bisimulation is a congruence w.r.t. process algebra operations respecting the format; 2) semistochasticity is preserved by process algebra operations respecting the format; 3) the main operations offered by the probabilistic process algebras studied in the literature are captured by the format, which, therefore, has practical applications; 4) features offered by known rule formats proposed for classic process algebras, such as look ahead and double testing, are offered by the format. Now, let us recall that in [6] a rule format for probabilistic process algebras has been already proposed. The first difference between our paper and [6] is that we consider the generative model of probabilistic processes, whereas [6] considers the reactive model. Then, our definition of TSS requires some conditions (i.e. clauses 2c–2e in Def. 6) that guarantee semistochasticity. In [6] no syntactic constraint on transition rules guarantees semistochasticity of reactive processes, i.e. the property that the sum of the probability of the moves of any process for the same label is either 0 or 1. Hence, in [6] semistochasticity is not ensured by the format. In [6] neither unquantified premises nor unneeded premises nor stratification are considered. We need these features to express operations requiring redistribution of probability, such as restriction (see Ex. 7) and priority (see Ex.
Probabilistic Congruence for Semistochastic Generative Processes
77
8). In the reactive model restriction and priority do not require redistribution of probability, and, therefore, they can be expressed with the format in [6]. Problems in [6] arise in other operations requiring redistribution of probability, such as the relabeling operation t[f ], where f : Act −→ Act is a relabeling functions. Our results can be extended in several directions. We aim to develop a rule format for the reactive model of probabilistic processes that guarantees results analogous to those obtained in the present paper, i.e. bisimulation being a congruence, operations preserving semistochasticity, expressiveness. Moreover, we aim to develop rule formats for other behavioral equivalences, such as probabilistic weak bisimulation [5], and probabilistic testing equivalence [21]. Finally, we aim to develop rule formats guaranteeing that security properties for probabilistic processes, such as those defined in [2], are respected by process algebra operations, on the same line followed in [17, 18] for classic process algebras.
References 1. L. Aceto, W. J. Fokkink, and C. Verhoef: Structural Operational Semantics. Handbook of Process Algebra, Elsevier, Amsterdam, 2001, 197–292. 2. A. Aldini, M. Bravetti, and R. Gorrieri: A Process-algebraic Approach for the Analysis of Probabilistic Non-interference. J. Comput. Secur. 12, 2004, 191–245. 3. J. C. M. Baeten, J. A. Bergstra, and S. A. Smolka: Axiomatizing Probabilistic Processes: ACP with Generative Probabilities. Inf. Comput. 121, 1995, 234–255. 4. J. C. M. Baeten and C. Verhoef: A Congruence Theorem for Structured Operational Semantics with Predicates. Proc. Concurrency Theory, LNCS 715, 1993. 5. C. Baier and H. Hermanns: Weak Bisimulation for Fully Probabilistic Processes. Proc. Computer Aided Verification, LNCS 1254, 1997, 119-130. 6. F. Bartels: GSOS for Probabilistic Transition Systems. Proc. Coalgebraic Methods in Computer Science, ENTCS 65, 2002. 7. B. Bloom, S. Istrail, and A. Meyer: Bisimulation Can’t Be Traced. J. Assoc. Comput. Mach. 42, 1995, 232–268. 8. M. Bravetti and A. Aldini: Discrete Time Generative-reactive Probabilistic Processes with Different Advancing Speeds. Theor. Comput. Sci. 290, 2003, 355–406. 9. P. R. D’Argenio, H. Hermanns, and J. P. Katoen: On Generative Parallel Composition. Proc. Probabilistic Methods in Verification, ENTCS 22, 1999. 10. A. Giacalone, C.C. Jou, and S.A. Smolka: Algebraic Reasoning for Probabilistic Concurrent Systems. IFIP Work. Conf. on Progr., Concepts and Methods, 1990. 11. R. J. van Glabbeek, S. A. Smolka, and B. Steffen: Reactive, Generative and Stratified Models of Probabilistic Processes. Inf. Comput. 121, 1995, 59–80. 12. J. F. Groote and F. Vaandrager: Structured Operational Semantics and Bisimulation as a Congruence. Inf. Comput. 100, 1992, 202–260. 13. B. Jonsson, K. L. Larsen, and W. Yi: Probabilistic Extensions of Process Algebras. Handbook of Process Algebra, Elsevier, Amsterdam, 2001. 14. G. Plotkin: A Structural Approach to Operational Semantics. Technical report DAIMI FN-19, University of Aarhus, 1981. 15. G. Plotkin: A Structural Approach to Operational Semantics. J. Log. Algebr. Program. 60–61, 2004, 17–139. 16. R. de Simone: Higher-level Synchronizing Devices in Meije-SCCS. Theor. Comput. Sci. 37, 1985, 245–267.
78
R. Lanotte and S. Tini
17. S. Tini: Rule Formats for Non-Interference. Proc. European Symp. on Programming, LNCS 2618, 2003, 129–143. 18. S. Tini: Rule Formats for Compositional non Interference Properties. J. Log. Algebr. Program. 60–61, 2004, 353-400. 19. I. Ulidowski and I. Phillips: Ordered SOS Process Languages for Branching and Eager Bisimulations. Inf. Comput. 178, 2002, 180–213. 20. C. Verhoef: A Congruence Theorem for Structural Operational Semantics with Predicates and Negative Premises. Nord. J. Comput. 2, 1995, 274–302. 21. S. H. Wu, S. A. Smolka, and E. W. Stark: Composition and Behaviors of Probabilistic I/O Automata. Theor. Comput. Sci. 176, 1997, 1–38.